The file content/docs/operating/security.md contains the following passage:
> For non-mutating endpoints, you may wish to set CORS headers such as Access-Control-Allow-Origin in your reverse proxy to prevent XSS.
However, this passage is problematic, because CORS is no defence against XSS. In fact, CORS is no defence at all; quite the opposite, since its goal is to relax the Same-Origin Policy.
This passage should be reworded or even removed.
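The following is an added illustration of the point made in this issue; it is not code from the project or its documentation. It uses a hypothetical minimal `Response` type and a constructed sample input to show that an `Access-Control-Allow-Origin` header only widens who may read a response cross-origin, while the body that a browser would execute is unchanged; what actually mitigates XSS is output encoding of untrusted input and, as a second layer, a `Content-Security-Policy` header.

```python
import html
from dataclasses import dataclass, field

# Constructed sample input: a classic script-injection probe, used only to
# show the difference between encoded and unencoded output.
UNTRUSTED_NAME = '<script>alert(1)</script>'


@dataclass
class Response:
    """Hypothetical minimal HTTP response (not the project's own type)."""
    body: str
    headers: dict = field(default_factory=dict)


def render_unsafe(name: str) -> Response:
    # Vulnerable: untrusted input interpolated into HTML as-is.
    return Response(body=f"<p>Hello, {name}</p>")


def render_safe(name: str) -> Response:
    # Hardened: output encoding turns '<' into '&lt;' so it cannot open a tag.
    return Response(body=f"<p>Hello, {html.escape(name, quote=True)}</p>")


def add_cors(resp: Response, origin: str = "*") -> Response:
    # What the documentation suggested. The header relaxes the Same-Origin
    # Policy for cross-origin readers of this response; the body is untouched.
    resp.headers["Access-Control-Allow-Origin"] = origin
    return resp


def add_csp(resp: Response) -> Response:
    # A header that actually constrains script execution in the browser.
    resp.headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self'"
    return resp


def contains_script_tag(body: str) -> bool:
    return "<script" in body.lower()


def audit(resp: Response) -> dict:
    """Classify, from a defender's point of view, what each header does
    and whether the body still carries executable markup."""
    h = {k.lower(): v for k, v in resp.headers.items()}
    return {
        "relaxes_same_origin": "access-control-allow-origin" in h,
        "restricts_script_execution": "content-security-policy" in h,
        "body_carries_script_tag": contains_script_tag(resp.body),
    }


if __name__ == "__main__":
    for label, resp in [
        ("unsafe + CORS", add_cors(render_unsafe(UNTRUSTED_NAME))),
        ("safe + CSP", add_csp(render_safe(UNTRUSTED_NAME))),
    ]:
        print(label, audit(resp))
```

Running the block shows the first response still carrying the injected tag despite the CORS header, and the second carrying only encoded text plus a policy that limits where scripts may load from; the reverse-proxy header the passage recommends belongs in the first category.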